pub fn validate_policy(
capabilities: &BackendCapabilities,
policy: &SandboxPolicy,
) -> Result<(), ExecutionError>
Validates that the backend can enforce every control the requested sandbox policy asks for.
Returns Err(ExecutionError::UnsupportedPolicy(...)) if any requested
control cannot be enforced by the backend, so a backend that lacks a control
never silently runs code under a weaker policy than the caller asked for. This is
fail-closed semantics: execution is rejected before any user code runs.
§Checks
- Network policy: if network access is disabled, the backend must be able to enforce that restriction
- Filesystem policy: if any filesystem access is requested, the backend must be able to enforce the filesystem policy
- Environment policy: if any environment variables are exposed, the backend must be able to enforce the environment policy
- Timeout: the backend must always be able to enforce timeouts, since no policy may run unbounded
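The four checks above, written out as a self-contained example. This is added illustration, not the crate's own implementation: the fields of `BackendCapabilities`, `SandboxPolicy` and `ExecutionError` are not shown on this page, so the struct and enum definitions below are assumptions, as is the `run_sandboxed` call site that shows the fail-closed ordering (validate first, run user code only on `Ok`).

```rust
// Added example, not the crate's code. The types below are assumed
// stand-ins for the crate's BackendCapabilities, SandboxPolicy and
// ExecutionError, whose real fields are not shown on the page.
use std::collections::BTreeMap;
use std::path::PathBuf;
use std::time::Duration;

/// What the execution backend is able to enforce (assumed shape).
#[derive(Debug, Clone, Copy, Default)]
pub struct BackendCapabilities {
    pub network_isolation: bool,
    pub filesystem_isolation: bool,
    pub env_isolation: bool,
    pub timeouts: bool,
}

/// What the caller wants enforced for this execution (assumed shape).
/// Default is the most restrictive policy: no network, no paths, no env.
#[derive(Debug, Clone, Default)]
pub struct SandboxPolicy {
    pub network_enabled: bool,
    pub readable_paths: Vec<PathBuf>,
    pub writable_paths: Vec<PathBuf>,
    pub env: BTreeMap<String, String>,
    pub timeout: Duration,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ExecutionError {
    UnsupportedPolicy(String),
}

/// Fail-closed: every control the policy asks for must be enforceable,
/// otherwise the whole policy is rejected. All gaps are collected so the
/// caller sees the full list rather than only the first one.
pub fn validate_policy(
    capabilities: &BackendCapabilities,
    policy: &SandboxPolicy,
) -> Result<(), ExecutionError> {
    let mut unsupported: Vec<&str> = Vec::new();

    // Network: only a policy that disables network needs enforcement.
    if !policy.network_enabled && !capabilities.network_isolation {
        unsupported.push("network is disabled but backend cannot isolate network");
    }
    // Filesystem: any requested access must be confinable by the backend.
    let fs_requested = !policy.readable_paths.is_empty() || !policy.writable_paths.is_empty();
    if fs_requested && !capabilities.filesystem_isolation {
        unsupported.push("filesystem access requested but backend cannot enforce it");
    }
    // Environment: exposing variables requires the backend to control the env.
    if !policy.env.is_empty() && !capabilities.env_isolation {
        unsupported.push("environment variables exposed but backend cannot enforce it");
    }
    // Timeout: required unconditionally; unbounded execution is never allowed.
    if !capabilities.timeouts {
        unsupported.push("backend cannot enforce timeouts");
    }

    if unsupported.is_empty() {
        Ok(())
    } else {
        Err(ExecutionError::UnsupportedPolicy(unsupported.join("; ")))
    }
}

/// Hypothetical call site showing the ordering that makes this fail-closed:
/// the user closure is only invoked after validation succeeds.
pub fn run_sandboxed(
    capabilities: &BackendCapabilities,
    policy: &SandboxPolicy,
    run: impl FnOnce() -> i32,
) -> Result<i32, ExecutionError> {
    validate_policy(capabilities, policy)?;
    Ok(run())
}

fn main() {
    // Constructed scenario: a backend that cannot isolate network.
    let caps = BackendCapabilities {
        network_isolation: false,
        filesystem_isolation: true,
        env_isolation: true,
        timeouts: true,
    };
    let policy = SandboxPolicy::default(); // network disabled by default
    match run_sandboxed(&caps, &policy, || 0) {
        Ok(code) => println!("ran, exit code {code}"),
        Err(ExecutionError::UnsupportedPolicy(why)) => println!("rejected: {why}"),
    }
}
```

Collecting every unenforceable control before returning is a design choice for the example: it keeps the fail-closed property while giving the operator one complete error instead of a fix-and-retry loop, and it never changes the outcome, since a single gap is enough to reject.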